From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dkg@fifthhorseman.net>
Received: from localhost (localhost [127.0.0.1])
 by arlo.cworth.org (Postfix) with ESMTP id 054016DE14AA
 for <notmuch@notmuchmail.org>; Sun, 26 May 2019 15:16:35 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at cworth.org
X-Spam-Flag: NO
X-Spam-Score: -0.18
X-Spam-Level: 
X-Spam-Status: No, score=-0.18 tagged_above=-999 required=5 tests=[AWL=0.021, 
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]
 autolearn=disabled
Received: from arlo.cworth.org ([127.0.0.1])
 by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id b2gOCeITo05T for <notmuch@notmuchmail.org>;
 Sun, 26 May 2019 15:16:34 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118])
 by arlo.cworth.org (Postfix) with ESMTPS id 0EC306DE13FF
 for <notmuch@notmuchmail.org>; Sun, 26 May 2019 15:16:21 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; 
 d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; 
 s=2019; t=1558908979; h=from : to : subject : date : 
 message-id : in-reply-to : references : mime-version : 
 content-transfer-encoding : from; 
 bh=rn8t3Apq30KsvP2Nwf6ksuId4JlxMs8qJ/T1J+DMP0k=; 
 b=HFuIFJwTGtg625zWGBtS1LmsDuQM7TqVugiv2JAsD92lmTtW+pCyoWIc
 CF2IvcPFVH9IZc2UqFwhZI1GvcB9Bg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; 
 i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1558908978; 
 h=from : to : subject : date : message-id : in-reply-to : 
 references : mime-version : content-transfer-encoding : 
 from; bh=rn8t3Apq30KsvP2Nwf6ksuId4JlxMs8qJ/T1J+DMP0k=; 
 b=NpZVVIPRgT0OWg4pZOGLpGhiM2y2VlrMESdeiu9wCoui5E7uy/iVP5CQ
 VTk+N+u5tGxXkRjQxD+omm7heaw+mgaSLiUnLRwBuUK5P4SfmKJU/FZXN6
 kmtQYyrJTtMTxMQi/dF+rsUV3CqiEAztXf7/RN39dxkm4gN3EYjx3wlsvj
 i4NhR+rkynPa86c44PVn6DxCLqofMcBVRyxADFL1jMZ9omIDFDuNW/PCTb
 bRgOpIZ7883nXRC9bCWRC7LNgC+57lq+OQIFZ914fAq6xVSkqWwu6I5gqg
 C6i3BHrGOPULxIMSbjUN8ktCyXJmWmeZcF/IAZQWY6qJV5ZY6wiQ7Q==
Received: from fifthhorseman.net (cpe-74-71-53-242.nyc.res.rr.com
 [74.71.53.242])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by che.mayfirst.org (Postfix) with ESMTPSA id 616FCF9A8
 for <notmuch@notmuchmail.org>; Sun, 26 May 2019 18:16:18 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 959932143E; Sun, 26 May 2019 18:16:14 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH v2 16/17] test: reply (in cli and emacs) should protect
 indexed sensitive headers
Date: Sun, 26 May 2019 18:16:09 -0400
Message-Id: <20190526221610.2833-17-dkg@fifthhorseman.net>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190526221610.2833-1-dkg@fifthhorseman.net>
References: <20190526221610.2833-1-dkg@fifthhorseman.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Use and development of the notmuch mail system."
 <notmuch.notmuchmail.org>
List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch/>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Sun, 26 May 2019 22:16:35 -0000

These tests are currently broken!  When a protected subject is indexed
in the clear, it leaks in the reply headers :(

For emacs, we set up separate tests for when the protected header is
indexed in the clear and when it is unindexed.  neither case should
leak, but the former wasn't tested yet.

We will fix the two broken tests in a subsequent patch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T356-protected-headers.sh       |  7 +++++
 test/T358-emacs-protected-headers.sh | 45 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index cbed3781..746c4760 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -99,6 +99,13 @@ output=$(notmuch search --format=json 'id:protected-header@crypto.notmuchmail.or
 test_json_nodes <<<"$output" \
                 'subject:[0]["subject"]="This is a protected header"'
 
+test_begin_subtest "indexed protected subject is not visible in reply header"
+test_subtest_known_broken
+output=$(notmuch reply --format=json 'id:protected-header@crypto.notmuchmail.org')
+test_json_nodes <<<"$output" \
+                'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
+                'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'
+
 test_begin_subtest "verify correct protected header when submessage exists"
 output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org)
 test_json_nodes <<<"$output" \
diff --git a/test/T358-emacs-protected-headers.sh b/test/T358-emacs-protected-headers.sh
index a631223e..765511d4 100755
--- a/test/T358-emacs-protected-headers.sh
+++ b/test/T358-emacs-protected-headers.sh
@@ -51,6 +51,29 @@ This is the sekrit message
 EOF
 test_expect_equal_file EXPECTED OUTPUT
 
+# notmuch-emacs still leaks the subject line; as long as it leaks the
+# subject line, it should emit the external subject, not the protected
+# subject, even if it knows what the true subject is:
+test_begin_subtest "Reply within emacs to a message with protected headers, not leaking subject"
+test_emacs "(let ((message-hidden-headers '()))
+	    (notmuch-show \"id:protected-header@crypto.notmuchmail.org\")
+	    (notmuch-show-reply)
+	    (test-output))"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: test_suite@notmuchmail.org
+Subject: Re: Subject Unavailable
+In-Reply-To: <protected-header@crypto.notmuchmail.org>
+Fcc: ${MAIL_DIR}/sent
+References: <protected-header@crypto.notmuchmail.org>
+--text follows this line--
+<#secure method=pgpmime mode=signencrypt>
+test_suite@notmuchmail.org writes:
+
+> This is the sekrit message
+EOF
+test_expect_equal_file EXPECTED OUTPUT
+
 # protected headers should behave differently after re-indexing
 test_begin_subtest 'defaulting to indexing cleartext'
 test_expect_success 'notmuch config set index.decrypt true'
@@ -67,4 +90,26 @@ End of search results.
 EOF
 test_expect_equal_file EXPECTED OUTPUT
 
+# notmuch-emacs still leaks the subject line:
+test_begin_subtest "don't leak protected subject during reply, even if indexed"
+test_subtest_known_broken
+test_emacs "(let ((message-hidden-headers '()))
+	    (notmuch-show \"id:protected-header@crypto.notmuchmail.org\")
+	    (notmuch-show-reply)
+	    (test-output))"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: test_suite@notmuchmail.org
+Subject: Re: Subject Unavailable
+In-Reply-To: <protected-header@crypto.notmuchmail.org>
+Fcc: ${MAIL_DIR}/sent
+References: <protected-header@crypto.notmuchmail.org>
+--text follows this line--
+<#secure method=pgpmime mode=signencrypt>
+test_suite@notmuchmail.org writes:
+
+> This is the sekrit message
+EOF
+test_expect_equal_file EXPECTED OUTPUT
+
 test_done
-- 
2.20.1